A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided.

After installation, it deletes its original copy and then executes the copy it installed. It registers itself as a service so that it runs at every system startup, as shown by the service named Q MUSCIC below.

This malware tries to connect to the following domains to receive instructions from botnet herders:

avzhan1.{BLOCKED}2.org

ei0813.{BLOCKED}2.org

wanmei8013.{BLOCKED}2.org

xhsb.{BLOCKED}2.org

These domain names are registered on a well-known China-based dynamic DNS service. The IP addresses also lead to ISPs in China.
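The two host-side indicators the write-up gives, the persistence service name and the leftmost labels of the four C&C hostnames, can be turned into a simple triage check. This is an added example, not code from the original post or from Trend Micro; the service listing and DNS log lines are constructed, and because the dynamic DNS domain is masked as {BLOCKED}2.org on the page, only the leftmost hostname label is matched.

```python
import re

# Indicators from the write-up: the service name used for persistence and the
# leftmost labels of the four C&C hostnames (second-level domain is masked).
SERVICE_NAME = "Q MUSCIC"
CNC_HOST_LABELS = {"avzhan1", "ei0813", "wanmei8013", "xhsb"}

# Constructed sample input (not real telemetry): an `sc query`-style service
# listing and a resolver query log in "<date> <time> <client> query <type> <name>" form.
SAMPLE_SERVICES = [
    "SERVICE_NAME: Spooler",
    "SERVICE_NAME: q  muscic",
    "SERVICE_NAME: wuauserv",
]
SAMPLE_DNS_LOG = [
    "2010-09-24 05:10:01 10.0.0.5 query A www.example.com",
    "2010-09-24 05:10:07 10.0.0.5 query A avzhan1.dyndns-example.org",
    "2010-09-24 05:11:30 10.0.0.9 query A xhsb.dyndns-example.org",
    "2010-09-24 05:12:00 10.0.0.9 query A xhsbdata.example.net",
]
DNS_LINE = re.compile(r"^(\S+ \S+) (\S+) query \S+ (\S+)$")


def normalize(name):
    # Collapse whitespace and case so "q  muscic" still matches "Q MUSCIC".
    return " ".join(name.split()).lower()


def find_persistence_service(service_lines):
    """Return the raw names of services matching the Avzhan service name."""
    hits = []
    for line in service_lines:
        _, _, name = line.partition(":")
        if normalize(name) == normalize(SERVICE_NAME):
            hits.append(name.strip())
    return hits


def find_cnc_queries(log_lines):
    """Return (timestamp, client, hostname) for queries to the known C&C labels."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        ts, client, host = m.groups()
        labels = host.lower().rstrip(".").split(".")
        # Exact leftmost label only; require a dynamic-DNS-shaped name (3+ labels)
        # so that unrelated hosts such as "xhsbdata.example.net" are not flagged.
        if len(labels) >= 3 and labels[0] in CNC_HOST_LABELS:
            hits.append((ts, client, host))
    return hits
```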

As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems.

In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:

Computer name

CPU speed

Language used

Memory size

Windows version

On their own, the behaviors of Avzhan bots do not differ much from those of older, more established malware families. However, its emergence highlights the continuing evolution of malware, as new threats continually present themselves over time.

Although this malware is already proactively detected by Trend Micro as Mal_Scar-1, new variants are still being encountered, even though the number of new infections has decreased significantly.

Hat tip to Arbor Networks for first writing about the discovery of this new bot here.


This entry was posted on Friday, September 24th, 2010 at 5:27 am and is filed under Bad Sites, Malware.